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About me

* First to hack the iPhone and G1 Android phone
* Winner of CanSecWest Pwn2Own: 2008-2011
* Author
  * Fuzzing for Software Security Testing and Quality Assurance
  * The Mac Hacker's Handbook
  * The iOS Hacker's Handbook
* PhD, CISSP, GCFA, etc.
* Not a member of iOS Developer Program
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Agenda

* Motivations
* NFC basics
* Fuzzing NFC stacks
* Beyond the NFC stack
* Potential attacks and demos
  * Samsung Nexus S/Galaxy Nexus (Android)
  * Nokia N9 (MeeGo)
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Motivation

[Collage of news headlines shown on the slide:]
* Microsoft brings NFC payments and loyalty to Windows Phone 8 (Donald Melanson, Jun 20th 2012)
* Samsung brings NFC tagging to the Galaxy S3, launches programmable TecTile stickers (Carly Page)
* NFC to come as standard on all Nokia phones; future handsets to have the chip inside
* Apple patent suggests NFC for iPhone 5 (Computerworld, @jonnyevans_cw)
* NFC predictions by Deloitte: 200 million NFC devices by 2012 end
* "The most complete wallet experience": credit & debit cards, loyalty & membership cards, saved deals, supports NFC "Tap to Pay"

NFC is coming to a phone near you

NFC represents new "server-side" attack surface

It is very hard to test NFC implementations

Thursday, July 12, 12
NFC attack surface 


■ I want to provide a means to test new/existing NFC stack 
implementations 

■ Others have looked at NFC security in general such as payment 
systems, phishing with posters, etc, 

* zvelo: Google wallet PIN brute forcing 

* Intrepidus Group: Misdirecting four square, malware and NFC intents, 
parking meters, etc 

* Ruhr University: MIFARE encryption cracking 

* MWR: bus passes, gym memberships, etc 

« Collin Mulliner: URL spoofing, snacks from vending machines 
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[Screenshot: NFC TagInfo app reading a MIFARE Ultralight tag]

TECH: ISO/IEC 14443-3 (Type A) compatible; ISO/IEC 14443-2 (Type A) compatible

Android technology information:
  android.nfc.tech.MifareUltralight
  android.nfc.tech.NfcA
  Maximum transceive length: 253 bytes
  Default maximum transceive time-out: 618 ms
  Tag description: TAG: Tech [android.nfc.tech.MifareUltralight, android.nfc.tech.NfcA]

Detailed protocol information:
  ID: 04:FE:C4:1A:48:27:80
  ATQA: 0x4400
  SAK: 0x00

Memory content (4-byte pages):
  [00] 04:FE:C4:B6  (UID0-UID2, BCC0)
  [01] 1A:48:27:80  (UID3-UID6)
  [02] F5:48:00:00  (BCC1, INT, LOCK0-LOCK1)
  [03] F4:0F:FF:1F  (OTP0-OTP3)
  [04] C6:EC:0C:9C
  [05] E3:ED:DA:6A
  [06] 9B:8E:9F:82
  [07] F9:FD:A5:29
  [08] F2:A6:19:A0
  [09] 6B:E9:68:90
  ...
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Similar work to this

* Collin Mulliner: manual fuzzing, NFC emulation with memory injection in Android
* Verdult and Kooman: practical attacks on NFC enabled cell phones (Nokia 6212)
* Dan Rosenberg: vulns in (unused) Linux kernel NFC stack
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NFC basics

* Set of communication protocols based on RFID standards including ISO 14443
* 13.56 MHz operating frequency, +/- 7 kHz
* Operating range less than 4 cm
* Data rates: 106, 212, 424 kbit/s
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How close

* Close but not touching
* Can read card through wallet in pocket

Close in practice

NFC and the screen

* NFC is typically on when the phone's screen is on
  * i.e. not when phone is "asleep"
* ICS: only on when phone is unlocked
* Can wake up the phone if you know the target's phone number
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Communication modes

* Passive
  * Initiator provides carrier field
  * Target modulates existing field
* Active (P2P)
  * Initiator and target communicate by generating their own fields

Specs

[Figure: NFC Forum protocol stack; legend: NFC Forum specification / Vendor specific / International standard]
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Physical and RF layers

* ISO 14443A-2
* 106 kbit/s, modified Miller coding with 100% modulation

NFC waveform

* 100% ASK using Manchester decoding
* 0x26 = SENS_REQ (ISO 14443-3)

... 11111010110101101101101111 ...

S 0110010 E  (start of frame, 7 data bits LSB first, end of frame)

0100110 = 0x26 = SENS_REQ (ISO 14443-3)
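The decode shown on this slide (S 0110010 E, read LSB first, giving 0x26), worked through in code. This is an added example, not from the deck; it assumes the carrier envelope was sampled twice per bit period, so the 26-character bit string above is a sequence of modified Miller X/Y/Z symbols encoded as '10', '11' and '01'.

```python
# Modified Miller decoder for the reader-to-card short frame on the slide.
# Assumption (ours, not the deck's): the envelope was sampled twice per bit
# period, '1' = carrier present, '0' = pause, giving the string shown above.
CAPTURE = "11111010110101101101101111"

# One symbol per bit period; the pause position distinguishes X/Y/Z.
SYMBOLS = {"10": "X",   # pause in the second half of the bit period
           "11": "Y",   # no pause
           "01": "Z"}   # pause at the start of the bit period


def to_symbols(samples, offset):
    """Slice the capture into X/Y/Z symbols from a given sample offset.
    Returns None when a pair is not a legal symbol (e.g. '00')."""
    out = []
    for i in range(offset, len(samples) - 1, 2):
        sym = SYMBOLS.get(samples[i:i + 2])
        if sym is None:
            return None
        out.append(sym)
    return out


def symbols_to_bits(symbols):
    """ISO 14443-3 modified Miller rules: SOF = Z; logic 1 = X; logic 0 = Z
    when preceded by 0 or SOF, else Y; EOF = logic 0 followed by Y.
    Returns the data bits in transmission order, or None if malformed."""
    if "Z" not in symbols:
        return None
    bits, prev = [], 0          # the SOF counts as a preceding 0
    for sym in symbols[symbols.index("Z") + 1:]:
        if sym == "X":
            bits.append(1)
            prev = 1
        elif sym == "Z":
            if prev != 0:
                return None     # Z after a 1 is not a legal sequence
            bits.append(0)
            prev = 0
        elif prev == 1:         # Y after a 1 encodes a 0
            bits.append(0)
            prev = 0
        else:                   # Y after a 0: that 0 was the EOF marker
            if not bits:
                return None
            bits.pop()
            return bits
    return None                 # ran out of symbols without an EOF


def decode_short_frame(samples):
    """Try both sample alignments; a short frame carries exactly 7 data bits,
    sent LSB first, so they are reversed to form the command byte."""
    for offset in (0, 1):
        syms = to_symbols(samples, offset)
        bits = symbols_to_bits(syms) if syms is not None else None
        if bits is not None and len(bits) == 7:
            value = 0
            for b in reversed(bits):
                value = (value << 1) | b
            return {"bits_lsb_first": "".join(str(b) for b in bits),
                    "command": value}
    return None


if __name__ == "__main__":
    print(decode_short_frame(CAPTURE))   # SENS_REQ
```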
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Initialization, anti-collision, protocol activation layers

* Detect presence of other NFC devices
* Initialize communication
* Little data exchanged
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Protocol layer

* Type 1 (Topaz)
* MIFARE Classic
* Type 2 (MIFARE UltraLight)
* Type 3
* Type 4 (DESFire)
* LLCP (P2P)
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Type 2: MIFARE UL

Command set: READ, WRITE, SECTOR SELECT, ACK, NACK

Memory layout (byte number 0-3 per block):

                  Byte 0     Byte 1     Byte 2     Byte 3     Block
UID / Internal    Internal0  Internal1  Internal2  Internal3  0
Serial Number     Internal4  Internal5  Internal6  Internal7  1
Internal / Lock   Internal8  Internal9  Lock0      Lock1      2
CC                CC0        CC1        CC2        CC3        3   <- Capability container
Data              Data0      Data1      Data2      Data3      4   <- NDEF data
Data              Data4      Data5      Data6      Data7      5
Data              Data8      Data9      Data10     Data11     6
Data              ...                                         ...
Data              ...                                         n
Lock / Reserved   ...
Lock / Reserved   ...
Lock / Reserved   ...                                         k
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Type 4: DESFire

* Command set: SELECT, READ, UPDATE

More type 4

* Typical command flow:
  * NDEF Tag Application select
  * Capability Container select
  * ReadBinary from CC file
  * NDEF select
  * ReadBinary from NDEF
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LLCP

* PDU types
  * SYMM, PAX, AGF, UI, CONNECT, DISC, CC, DM, FRMR, I, RR, RNR, SNL

LLCP Header + LLCP Payload:

Field         Size          Position
DSAP          6 bits        byte offset 0, bits 7-2
PTYPE         4 bits        byte offset 0, bits 1-0 and byte offset 1, bits 7-6
SSAP          6 bits        byte offset 1, bits 5-0
Sequence      0 or 8 bits   byte offset 2
Information   M x 8 bits    byte offset 2 or 3, depends on PTYPE

DSAP = Destination service access point address field

PTYPE = Payload data unit (PDU) type field

SSAP = Source service access point address field

Sequence = Sequence field (8 bits for formats that include sequence numbers, and 0 bits for formats that do not)

Information = Information field (M is an integer value between and including 0 and the maximum information unit MIU defined in this specification; x denotes multiplication)
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Sample LLCP exchange

* Initiator sends CONNECT PDU with connection parameters
* Target responds with CC PDU
* Initiator sends I PDU
* Target sends either an I or RR PDU
* Repeat until one side sends DISC PDU
* SYMM PDUs may be sent at any time to prevent timeout

Higher level P2P

* LLCP connects to a transport endpoint
* NPP (NDEF Push Protocol)
  * service name: "com.android.npp"
* SNEP (Simple NDEF Exchange Protocol)
  * service name: "urn:nfc:sn:snep"
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Application layer

* NFC Data Exchange Format (NDEF)
  * Binary message format
  * Different identifiers to describe types such as URIs, MIME types, NFC-specific types
* Specification for NDEF and each well known type
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Data example

* Using a Proxmark3 device, can capture data traces
* Example to come
  * SCL3711 card reader reading MIFARE UL tag
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SENS_REQ
  26
SENS_RES (NFCID1 size: double (7 bytes), bit frame SDD)
  44 00
SDD_REQ CL1
  93 20
SDD_RES (CT, 04-e3-ef, BCC)
  88 04 e3 ef <80>
SEL_REQ CL1
  93 70 88 04 e3 ef 80
SEL_RES - not complete, type 2
  04 <da 17>
SDD_REQ CL2
  95 20
SDD_RES (a2-ef-20-80, BCC)
  a2 ef 20 80 <ed>
SEL_REQ CL2
  95 70 a2 ef 20 80 ed
SEL_RES - complete, type 2
  00 <fe 51>

READ - 08
  30 08 <4a 24>
READ Response
  74 72 61 6c 69 67 68 ...
READ - 03
  30 03 <99 9a>
READ Response
  e1 10 06 00 03 17 d1 ...
READ - 04
  30 04 <26 ee>
READ Response
  03 17 d1 01 13 54 02 ...
READ - 05
  30 05 <af ff>
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Extracted NDEF data

03 17 d1 01 13 54 02 65 6e 73 75 70 2c 20 75 6c 74 72 61
6c 69 67 68 74 3f fe

03 - NDEF Message TLV
17 - length
Record 1
  d1 - MB, ME, SR, TNF="NFC Forum well-known type"
  01 - Type length
  13 - Payload length
  54 - Type "T"
  02 - Status byte: length of IANA language code
  65 6e - language code = "en"
  73 75 70 2c 20 75 6c 74 72 61 6c 69 67 68 74 3f = "sup, ultralight?" - text
fe - Terminator TLV
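A bounds-checked parser for the bytes annotated above, written for this page as an added example (it is not the deck's code nor any NFC stack's). It walks the Type 2 TLV area, then the NDEF record header fields in the order shown (header flags, type length, payload length, type, payload), checking each length against the bytes that remain before using it. It also handles the deck's Smart Poster test case, whose payload is itself a nested NDEF message, and refuses a truncated message instead of indexing past its end.

```python
import struct

# Type 2 tag memory from the NDEF message TLV onward, as extracted above.
EXTRACTED = bytes.fromhex("0317d101135402656e7375702c20756c7472616c696768743ffe")
# Smart Poster message from the mutation-fuzzing test cases later in the deck.
SMART_POSTER = bytes.fromhex(
    "D1021B537091010B5500676F6F676C652E636F6D5101085405656E2D55536869")
TNF_WELL_KNOWN = 0x01
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://"}


class NdefError(ValueError):
    """Raised wherever a length field would otherwise index past the buffer."""


def parse_records(buf):
    """Parse one NDEF message (MB ... ME) from buf and return its records.
    Each length is compared with the bytes remaining before it is trusted."""
    records, off = [], 0
    while True:
        if off >= len(buf):
            raise NdefError("message ended before an ME record")
        hdr = buf[off]
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07
        if not records and not mb:
            raise NdefError("first record lacks MB")
        if cf:
            raise NdefError("chunked records not supported")
        off += 1
        if off + 1 + (1 if sr else 4) + (1 if il else 0) > len(buf):
            raise NdefError("truncated record header")
        type_len = buf[off]
        off += 1
        if sr:                                   # short record: 1-byte payload length
            payload_len, off = buf[off], off + 1
        else:
            payload_len, off = struct.unpack(">I", buf[off:off + 4])[0], off + 4
        id_len = 0
        if il:
            id_len, off = buf[off], off + 1
        if type_len + id_len + payload_len > len(buf) - off:
            raise NdefError("type/id/payload lengths exceed the message")
        rtype = bytes(buf[off:off + type_len])
        start = off + type_len + id_len
        payload = bytes(buf[start:start + payload_len])
        off = start + payload_len
        records.append({"tnf": tnf, "type": rtype, "payload": payload})
        if me:
            return records


def decode_text(payload):
    """Well-known 'T' record: status byte (bit 7 = UTF-16, low 6 bits = length
    of the IANA language code), language code, then the text."""
    if not payload:
        raise NdefError("empty text record")
    lang_len = payload[0] & 0x3F
    if lang_len > len(payload) - 1:
        raise NdefError("language code longer than payload")
    enc = "utf-16" if payload[0] & 0x80 else "utf-8"
    return payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:].decode(enc)


def describe(records):
    """Readable view of parsed records, recursing into Smart Poster payloads."""
    out = []
    for r in records:
        wk = r["tnf"] == TNF_WELL_KNOWN
        if wk and r["type"] == b"T":
            out.append(("text",) + decode_text(r["payload"]))
        elif wk and r["type"] == b"U" and r["payload"]:
            # 'U' record: one prefix-table byte, then the rest of the URI
            prefix = URI_PREFIXES.get(r["payload"][0], "")
            out.append(("uri", prefix + r["payload"][1:].decode("utf-8")))
        elif wk and r["type"] == b"Sp":
            out.append(("smartposter", describe(parse_records(r["payload"]))))
        else:
            out.append(("other", r["tnf"], r["type"], r["payload"]))
    return out


def parse_type2_tlvs(mem):
    """Walk the Type 2 TLV area (0x00 NULL, 0x03 NDEF message, 0xFE terminator)
    and decode the first NDEF message; the 3-byte TLV length form is refused."""
    off = 0
    while off < len(mem) and mem[off] != 0xFE:
        t = mem[off]
        off += 1
        if t == 0x00:
            continue
        if off >= len(mem) or mem[off] == 0xFF:
            raise NdefError("missing or unsupported TLV length")
        length = mem[off]
        off += 1
        if length > len(mem) - off:
            raise NdefError("TLV length exceeds memory")
        if t == 0x03:
            return describe(parse_records(mem[off:off + length]))
        off += length
    raise NdefError("no NDEF message TLV present")
```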
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Where might the bugs be?

* We've seen how NFC data passes to the phone
* Where might the vulnerabilities be lurking?
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Android NFC stack 
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MeeGo NFC stack 
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Possible bugs

* Low level
  * The actual NFC parsing code in the (firmware), driver, NFC service, etc.
* Higher level
  * Applications which consume data (without user interaction)
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Fuzzing NFC

[Diagram: fuzzing loop with "Test case generation" feeding the device and "Monitoring device" watching it]
Test case generation

* Mutation based (dumb fuzzing)
  * Add anomalies to "valid" data
  * Change bytes, insert bytes, etc.

Information PDU for LLCP (first is for npp-server, second is for snep server)

"43200001000000010100000017d101135402656e7375702c20756c7472616c414141743f",
"132000100200000017d101135402656e48656c6c6f414141416c642121212121",

# Type 4 capability container file
# "000f10005400ff0406e104fffe0000"

# MF UL memory
# "0000000000000000cd480000e11012000323",

# Short Text NDEF (type 54)
# "d101135402656e7375702c20756c7472616c696768743f",

# Smart Poster NDEF (type 53 70)
# "D1021B537091010B5500676F6F676C652E636F6D5101085405656E2D55536869",
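The two LLCP Information PDUs above, decoded by a receiver-side parser that checks every length field before it indexes. This is an added example for this page, not the deck's or nfcpy's code; the header split follows the DSAP/PTYPE/SSAP/sequence layout given on the LLCP slide, the two PDU hex strings are the deck's test cases, and the CONNECT PDU (with its service-name parameter) is constructed here for illustration.

```python
import struct

# The two Information PDUs from the test cases above (NPP, then SNEP).
NPP_PDU = bytes.fromhex(
    "43200001000000010100000017d101135402656e7375702c20756c7472616c414141743f")
SNEP_PDU = bytes.fromhex(
    "132000100200000017d101135402656e48656c6c6f414141416c642121212121")
# A CONNECT PDU constructed here for illustration: DSAP 1, SSAP 32, with a
# service-name parameter (type 6) naming the SNEP service from the deck.
CONNECT_PDU = bytes([0x05, 0x20, 0x06, 0x0F]) + b"urn:nfc:sn:snep"

PTYPES = {0: "SYMM", 1: "PAX", 2: "AGF", 3: "UI", 4: "CONNECT", 5: "DISC",
          6: "CC", 7: "DM", 8: "FRMR", 9: "SNL", 12: "I", 13: "RR", 14: "RNR"}
SEQUENCED = {"I", "RR", "RNR"}           # carry the N(S)/N(R) sequence byte
WITH_PARAMS = {"PAX", "CONNECT", "CC"}   # information field is a TLV list


class LlcpError(ValueError):
    pass


def parse_params(buf):
    """Parameter list: 1-byte type, 1-byte length, value; lengths are checked."""
    params, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise LlcpError("truncated parameter header")
        t, n = buf[off], buf[off + 1]
        if n > len(buf) - off - 2:
            raise LlcpError("parameter length exceeds PDU")
        params.append((t, bytes(buf[off + 2:off + 2 + n])))
        off += 2 + n
    return params


def parse_llcp(pdu):
    """Header: DSAP (6 bits) | PTYPE (4 bits) | SSAP (6 bits), then an optional
    sequence byte (N(S) high nibble, N(R) low nibble), then the information."""
    if len(pdu) < 2:
        raise LlcpError("PDU shorter than its 2-byte header")
    dsap = pdu[0] >> 2
    ptype = ((pdu[0] & 0x03) << 2) | (pdu[1] >> 6)
    ssap = pdu[1] & 0x3F
    name = PTYPES.get(ptype)
    if name is None:
        raise LlcpError("reserved PTYPE %d" % ptype)
    out, off = {"dsap": dsap, "ptype": name, "ssap": ssap}, 2
    if name in SEQUENCED:
        if len(pdu) < 3:
            raise LlcpError("%s PDU without its sequence byte" % name)
        out["ns"], out["nr"], off = pdu[2] >> 4, pdu[2] & 0x0F, 3
    out["info"] = bytes(pdu[off:])
    if name in WITH_PARAMS:
        out["params"] = parse_params(out["info"])
    return out


def parse_npp(info):
    """NDEF Push Protocol: version(1) count(4), then count entries of
    action(1) length(4) ndef.  Lengths are unsigned and bounded by the PDU,
    so an oversized or sign-flipped length is refused, not allocated."""
    if len(info) < 5:
        raise LlcpError("NPP header truncated")
    version, count = info[0], struct.unpack(">I", info[1:5])[0]
    entries, off = [], 5
    for _ in range(count):
        if off + 5 > len(info):
            raise LlcpError("NPP entry header truncated")
        action, n = info[off], struct.unpack(">I", info[off + 1:off + 5])[0]
        off += 5
        if n > len(info) - off:
            raise LlcpError("NPP entry length %d exceeds %d remaining" % (n, len(info) - off))
        entries.append((action, info[off:off + n]))
        off += n
    return {"version": version, "entries": entries}


def parse_snep(info):
    """SNEP: version(1) request/response code(1) length(4), then the NDEF."""
    if len(info) < 6:
        raise LlcpError("SNEP header truncated")
    version, code, n = info[0], info[1], struct.unpack(">I", info[2:6])[0]
    if n > len(info) - 6:
        raise LlcpError("SNEP length exceeds PDU")
    return {"version": version, "code": code, "ndef": info[6:6 + n]}
```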
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Test case generation

* Generation based (smart fuzzing)
* Used Sulley fuzzing framework

# NDEF record header byte: MB/ME/CF/SR/IL flags and TNF
s_byte(0xd1, format="oct", name="header", full_range=True, fuzzable=True)

s_size("type block", name="type length", format="oct", length=1, math=lambda x: x/2, fuzzable=True)

# 0x10 is the SR flag in the header: 4-byte payload length when set, 1-byte otherwise
if s_block_start("long payload long", dep="header", dep_value=16, dep_compare="&"):
    s_size("payload block", format="oct", length=4, math=lambda x: x/2, fuzzable=True)
s_block_end()

if s_block_start("long payload small", dep="header", dep_value=16, dep_compare="!&"):
    s_size("payload block", format="oct", length=1, math=lambda x: x/2, fuzzable=True)
s_block_end()

# 0x08 is the IL flag in the header: ID length and ID field are present when set
if s_block_start("id length block", dep="header", dep_value=8, dep_compare="!&"):
    s_size("id block", name="id length", format="oct", length=1, math=lambda x: x/2, fuzzable=True)
s_block_end()

if s_block_start("type block"):
    s_string("T", encoding="hex", max_len=250, fuzzable=True)
s_block_end()

if s_block_start("id block", dep="header", dep_value=8, dep_compare="!&"):
    s_string("ID!", encoding="hex", max_len=250, fuzzable=True)
s_block_end()

if s_block_start("payload block"):
    s_block_end()
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Delivering testcases...

* Collin Mulliner originally wrote NDEFs to NFC tags and presented them by hand
* How can we automate this process and fuzz at lower levels than just NDEF?
* We need to emulate an NFC card/device

Lots of hardware and software choices

[Figure: nfcpy (Python module for near field communication: source code, documentation), Python bindings for libnfc, SCM Microsystems readers, NXP PN544 evaluation board]
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[Screenshot: GNU Radio Companion flowgraphs /home/cmiller/nexus-demod.grc and nexus-demod-mm.grc. File Source (file _1562500_40_waveform, sample rate 1.5625M, repeat: no) -> Throttle -> Multiply with a Signal Source (cosine, frequency -3.2k, amplitude 1) -> Low Pass Filter (decimation 1, gain 1) -> Complex to Mag -> Subtract -> File Sink (demod.out, ...miller/nexus mag sub); Power Squelch (threshold -80 dB, alpha 10m, gate: yes); WX GUI FFT plot and Scope plot]
Memory injection

NFC readers that work

* ACS ACR122U with libnfc 1.5.1
  * Card emulation for type 2 and type 4 cards
* SCL3711 with nfcpy
  * LLCP with either SNEP or NPP

[Photos: SCM Microsystems reader; nfcpy, "Python module for near field communication"]
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Fuzzable with this setup

[Figure: NFC Forum protocol stack with the Application Layer highlighted]

NDEF fuzzing

* Use libnfc utility nfc-emulate-forum-tag4 with fuzzed NDEF data
* We use card emulation for Type 4 cards
  * Type 2 restricted to 64/192 bytes of data

Thursday, July 12, 12 




Type 2 memory fuzzing 


Appfccation Layer 


Tag Types 


Examples 
of products 


Applicatwe Protocol 


Protocol 


Inrtialization 
Anticollision 
Protocol Actuation 


RF 


Physical 

Characteristics 



NFC A 


NFC B 


NFC F P2P 


NFC Forum specification 
u Vendor specific 

International standard 



















































































Type 2 memory fuzzing

* We fuzz non-NDEF contents of MIFARE UL memory
* Use modified version of libnfc's nfc-emulate-forum-tag2

                  Byte 0     Byte 1     Byte 2     Byte 3     Block
UID / Internal    Internal0  Internal1  Internal2  Internal3  0
Serial Number     Internal4  Internal5  Internal6  Internal7  1
Internal / Lock   Internal8  Internal9  Lock0      Lock1      2
CC                CC0        CC1        CC2        CC3        3
Data              Data0      Data1      Data2      Data3      4
Data              Data4      Data5      Data6      Data7      5
Data              Data8      Data9      Data10     Data11     6
Data              ...                                         ...
Data              ...                                         n
Lock / Reserved   ...
Lock / Reserved   ...
Lock / Reserved   ...                                         k

Thursday, July 12, 12 




















































































Type 4 memory fuzzing

* Use modified nfc-emulate-forum-tag4
* We fuzz CC file

[Diagram: NDEF Tag Application (D2760000850101h) containing the CC file (E103h) and the NDEF file (E104h)]
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LLCP fuzzing

* Use modified version of nfcpy to fuzz CONNECT and I PDUs

Format of the CONNECT PDU:

Field            Bits                 Position
DSAP             DDDDDD (6 bits)      byte offset 0, bits 7-2
PTYPE            0100                 byte offset 0, bits 1-0 and byte offset 1, bits 7-6
SSAP             SSSSSS (6 bits)      byte offset 1, bits 5-0
Information      Parameter List       byte offset 2 ... byte offset n-1

Format of the I PDU:

Field            Bits                 Position
DSAP             DDDDDD (6 bits)      byte offset 0, bits 7-2
PTYPE            1100                 byte offset 0, bits 1-0 and byte offset 1, bits 7-6
SSAP             SSSSSS (6 bits)      byte offset 1, bits 5-0
Sequence         N(S) | N(R)          byte offset 2 (4 bits each)
Information      Service Data Unit    byte offset 3 ... byte offset n-1
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"Presenting" the phone

* Device dependent
* Android
  * "service call nfc 21/20"
* MeeGo
  * kill and restart nfcd

[Screenshot: NFC setting toggle, "Use Near Field Communication to read and exchange tags"]
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Resetting USB NFC reader

* USB hub that implements port power control

Checking for crashes

* Android
  * adb logcat
* MeeGo
  * gdb -x gdb.commands -p `pid of nfcd`
  * diff of process IDs

gdb.commands:
set pagination off
set logging on
set logging overwrite on
c
i r
q
y
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Valid test case instrumentation

* Android
  * sqlite3 -line /data/data/com.google.android.tag/databases/tags.db 'select title from ndef_msgs where _id = (select MAX(_id) from ndef_msgs);'
* MeeGo
  * nfcd -I 5
  * Look in /var/log/syslog

Jun 20 15:17:26 (2012) nfcd[4433]: DEBUG: nfc_mw_log.c:242:nfc_debug_dump():
[0000] d1 02 22 53 70 91 01 0f 54 02 65 6e 58 58 58 58  .."Sp...T.enXXXX
Jun 20 15:17:26 (2012) nfcd[4433]: DEBUG: nfc_mw_log.c:242:nfc_debug_dump():
[0010] 38 32 37 30 37 32 32 32 51 01 0b 55 01 67 6f 6f  82707222Q..U.goo
Jun 20 15:17:26 (2012) nfcd[4433]: DEBUG: nfc_mw_log.c:242:nfc_debug_dump():
[0020] 67 6c 65 2e 63 6f 6d                             gle.com
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Fuzzing in 
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Low level fuzzing in action

* Fuzz targets
  * Nexus S running Android 2.3.3 Gingerbread
  * Nokia N9 1.2 Harmattan PR 1.2
* 30,000 - 60,000 test cases
  * Each test case took between 5-10 (or more) seconds
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Test cases used

[Table and bar charts: number of test cases per category for Android and MeeGo]
Categories: Type 4, LLCP - Connect, LLCP - I, NDEF - bitflip, NDEF - short text, NDEF - short URI, NDEF - short SMS, NDEF - short SP, NDEF - short BT, NDEF - long text, NDEF - long vcard, Total
Android counts as recovered: 4000, 4000, 2000, 2000, 9000, 1626, 538, 1265, 2440, 1246, 2440, 32572; Total 52362
MeeGo counts as recovered: 4000, 4000, 2000, 2000, 9000, 1626, 538, 1265, 2440, 1246, 2440, 15062; Total 34852
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Android Java Exceptions

E/NfcService(17875): failed to parse record
E/NfcService(17875): java.lang.ArrayIndexOutOfBoundsException
E/NfcService(17875):   at com.android.nfc.NfcService$NfcServiceHandler.parseWellKnownUriRecord(NfcService.java:2570)
E/NfcService(17875):   at com.android.nfc.NfcService$NfcServiceHandler.setTypeOrDataFromNdef(NfcService.java:2616)
E/NfcService(17875):   at com.android.nfc.NfcService$NfcServiceHandler.dispatchTagInternal(NfcService.java:2713)

[Screenshot: "Sorry! The application Tags (process com.google.android.tag) has stopped unexpectedly. Please try again."]
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More Android Java Exceptions

D/NdefPushServer( 3130): java.io.IOException
D/NdefPushServer( 3130):   at com.android.internal.nfc.LlcpSocket.receive(LlcpSocket.java:193)
D/NdefPushServer( 3130):   at com.android.nfc.ndefpush.NdefPushServer$ConnectionThread.run(NdefPushServer.java:70)
D/NdefPushServer( 3130): about to close
W/dalvikvm( 3130): threadid=8: thread exiting with uncaught exception (group=0x40015560)
E/AndroidRuntime( 3130): FATAL EXCEPTION: NdefPushServer
E/AndroidRuntime( 3130): java.lang.NegativeArraySizeException
E/AndroidRuntime( 3130):   at com.android.nfc.ndefpush.NdefPushProtocol.<init>(NdefPushProtocol.java:97)
E/AndroidRuntime( 3130):   at com.android.nfc.ndefpush.NdefPushServer$ConnectionThread.run(NdefPushServer.java:86)

[Screenshot: "Sorry! The application Nfc Service (process com.android.nfc) has stopped unexpectedly. Please try again."]
Android null ptr deref

* Send a CC PDU without first establishing a connection

BAD PDU: 05a0060f636f6d2e616e64726f69642e6e7070

0x80528f1c in Handle_ConnectionOriented_IncommingFrame () from /home/cmiller/debugging/libnfc.so
...
(gdb) x/i $pc
0x80528f1c <Handle_ConnectionOriented_IncommingFrame+952>: stmia r3, {r0, r1}
(gdb) print /x $r3
$3 = 0x0
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Android Double Free

D/NdefPushServer(13178): created LLCP service socket
D/NdefPushServer(13178): about to accept
D/NFC JNI (13178): Discovered P2P Target
D/NfcService(13178): LLCP Activation message
E/NFC JNI (13178): phLibNfc_Llcp_CheckLlcp() returned 0x00ff[NFCSTATUS_FAILED]
I/DEBUG ( 73): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 73): Build fingerprint: 'google/soju/crespo:2.3.3/GRI54/105536:user/release-keys'
I/DEBUG ( 73): pid: 13178, tid: 13178 >>> com.android.nfc <<<
I/DEBUG ( 73): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0000000c
I/DEBUG ( 73):  r0 afd46494  r1 00000004  r2 00000000  r3 afd46450
I/DEBUG ( 73):  r4 00295530  r5 afd46450  r6 00000000  r7 40002410
I/DEBUG ( 73):  r8 00000001  r9 0000008a  10 00000002  fp bed9725c
I/DEBUG ( 73):  ip afd46474  sp bed97220  lr afd10e60  pc afd13d06  cpsr 00000030
I/DEBUG ( 73):  pc 00013d06  /system/lib/libc.so
I/DEBUG ( 73):  pc 000144be  /system/lib/libc.so
I/DEBUG ( 73):  pc 0004375c  /system/lib/libnfc.so
I/DEBUG ( 73):  pc 00042b84  /system/lib/libnfc.so

abort()
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Source code

/* Llcp methods */

static jboolean com_android_nfc_NfcManager_doCheckLlcp(JNIEnv *e, jobject o)
{
   NFCSTATUS ret;
   jboolean result = JNI_FALSE;
   struct nfc_jni_native_data *nat;
   struct nfc_jni_callback_data *cb_data;

   CONCURRENCY_LOCK();

   /* Memory allocation for cb_data */
   cb_data = (struct nfc_jni_callback_data*) malloc(sizeof(nfc_jni_callback_data));
   ...
   if(ret != NFCSTATUS_PENDING && ret != NFCSTATUS_SUCCESS)
   {
      LOGE("phLibNfc_Llcp_CheckLlcp() returned 0x%04x[%s]", ret, nfc_jni_get_status_name(ret));
      free(cb_data);               /* first free of cb_data */
      goto clean_and_return;
   }
   ...
clean_and_return:
   nfc_cb_data_deinit(cb_data);    /* frees cb_data again on the error path: double free */
   CONCURRENCY_UNLOCK();
   return result;
}
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Status of vulnerability

* Fixed in ICS (4.0.1) by Google (independent of me)
* All Gingerbread devices are vulnerable
  * 92% of currently deployed Android devices
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Other crashes

I/DEBUG ( 73): #00 pc 00015ca4 /system/lib/libc.so <__libc_android_abort>
I/DEBUG ( 73): #01 pc 00013e08 /system/lib/libc.so <dlmalloc>
I/DEBUG ( 73): #02 pc 0001423e /system/lib/libc.so <???>
I/DEBUG ( 73): #03 pc 000142ac /system/lib/libc.so <dlrealloc>
I/DEBUG ( 73): #04 pc 0001451a /system/lib/libc.so <realloc>
I/DEBUG ( 73): #05 pc 0001abf0 /system/lib/libbinder.so <android::Parcel::continueWrite>
I/DEBUG ( 73): #06 pc 0001ad0c /system/lib/libbinder.so <android::Parcel::growData>
I/DEBUG ( 73): #07 pc 0001ae68 /system/lib/libbinder.so <android::Parcel::writeInplace>
I/DEBUG ( 73): #08 pc 0001aea8 /system/lib/libbinder.so <android::Parcel::writeString16>
I/DEBUG ( 73): #09 pc 0001aed4 /system/lib/libbinder.so <android::Parcel::writeString16>
I/DEBUG ( 73): #10 pc 0001aef8 /system/lib/libbinder.so <android::Parcel::writeInterfaceToken>
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Other crashes

I/DEBUG ( 73): #00 pc 00015ca4 /system/lib/libc.so <__libc_android_abort>
I/DEBUG ( 73): #01 pc 00013614 /system/lib/libc.so <dlfree>
I/DEBUG ( 73): #02 pc 000144da /system/lib/libc.so <free>
I/DEBUG ( 73): #03 pc 0004996e /system/lib/libdvm.so <dvmDestroyJNI>
I/DEBUG ( 73): #04 pc 00053fda /system/lib/libdvm.so <dvmDetachCurrentThread>
I/DEBUG ( 73): #05 pc 000494da /system/lib/libdvm.so <???>
I/DEBUG ( 73): #06 pc 00005310 /system/lib/libnfc_jni.so <nfc_jni_client_thread>
I/DEBUG ( 73): #07 pc 000118e4 /system/lib/libc.so <__thread_entry>
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Other crashes

I/DEBUG ( 73): #00 pc 00013256 /system/lib/libc.so <dlfree>
I/DEBUG ( 73): #01 pc 000144da /system/lib/libc.so <free>
I/DEBUG ( 73): #03 pc 0004996e /system/lib/libdvm.so <dvmDestroyJNI>
I/DEBUG ( 73): #04 pc 00053fda /system/lib/libdvm.so <dvmDetachCurrentThread>
I/DEBUG ( 73): #05 pc 000494da /system/lib/libdvm.so <???>
I/DEBUG ( 73): #06 pc 00005310 /system/lib/libnfc_jni.so <nfc_jni_client_thread>
I/DEBUG ( 73): #07 pc 000118e4 /system/lib/libc.so <__thread_entry>

Crash occurs in unlink_large_chunk in dlfree() when an invalid "back" ptr is referenced
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Other crashes

I/DEBUG ( 73): #00 pc 00015ca4 /system/lib/libc.so <__libc_android_abort>
I/DEBUG ( 73): #01 pc 00013e08 /system/lib/libc.so <dlmalloc>
I/DEBUG ( 73): #02 pc 000144be /system/lib/libc.so <calloc>
I/DEBUG ( 73): #03 pc 000509c8 /system/lib/libdvm.so <dvmInitReferenceTable>
I/DEBUG ( 73): #04 pc 000533f8 /system/lib/libdvm.so <???>
I/DEBUG ( 73): #05 pc 00053454 /system/lib/libdvm.so <dvmAttachCurrentThread>
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Beyond the NFC stack

* What applications handle the actual NFC data
  * by default
  * without user interaction
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At first glance

[Screenshot: Android notification "New tag collected" showing the tag text "Hi there."]
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boring!

[Screenshot: MeeGo "Note" dialog showing "Hi there" with View and Discard buttons]
Cool NFC magic

* Android: Multiple NFC apps
* Android: Beam
* Nokia: Content sharing
* Nokia: Bluetooth pairing
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Multiple apps in Android

* By default, Tags handles all/most tags
* More apps can register to get NFC data
* Must register for intent in their AndroidManifest.xml file

E: intent-filter (line=43)
  E: action (line=44)
    A: android:name(0x01010003)="android.nfc.action.TAG_DISCOVERED" (Raw: "android.nfc.action.TAG_DISCOVERED")
  E: category (line=45)
    A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")

[Screenshot: "Select an action" chooser listing NFC TagInfo and Tags]
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Android Beam

* Introduced in ICS
* Two devices can share content via NFC
  * LLCP + SNEP, fallback to LLCP + NPP
* No user interaction from the client

[Screenshot: "Touch to beam"]
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More Android Beam

* Implemented with Android intents
* Browser, Contacts, and Tags register

<!-- Accept inbound NFC URLs at a low priority -->
<intent-filter android:priority="-101">
    <action android:name="android.nfc.action.NDEF_DISCOVERED" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:scheme="http" />
    <data android:scheme="https" />
</intent-filter>
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Bigger attack surface

Type          File format
Web related   html, css
Audio         mp3, aac, amr, ogg, wav
Video         mp4, 3gp
Font          ttf, eot
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Android NFC attack surface

Thanks to Josh Drake and the CrowdStrike team (esp. Georg Wicherski)
Nokia Content Sharing

[Screenshot: NFC settings, "Confirm sharing and connecting"]

* Like Android Beam for Nokia phones
* Again without user interaction
  * despite what settings would tell you

Nokia N9 attack surface

Type                       File format
(images)                   tiff
(audio)                    amr, wav, ogg
Documents (office-suite)   pdf, txt, doc(x), xls(x), ppt(x)
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MeeGo NFC attack surface 
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Choose public bugs...

* For example, latest N9 firmware ships with libpng 1.2.42

Vulnerability Warning

All "modern" versions of libpng through 1.5.9, 1.4.10, 1.2.48, and 1.0.58, respectively, fail to correctly handle malloc() failure for text chunks (in png_set_text_2()), which can lead to memory corruption and the possibility of execution of hostile code. This serious vulnerability has been assigned ID CVE-2011-3048 and is fixed in version 1.5.10 (and versions 1.4.11, 1.2.49, and 1.0.59, respectively, on the older branches), released 29 March 2012.

Vulnerability Warning

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012.
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Or private bugs...

* PPTs

==3572== Thread 2:
==3572== Invalid free() / delete / delete[] / realloc()
==3572==    at 0x48347B4: free (vg_replace_malloc.c:366)
==3572==    by 0x5DE780F: free_mem (in /lib/libc-2.10.1.so)
==3572==    by 0x5DE71F7: __libc_freeres (in /lib/libc-2.10.1.so)
==3572==    by 0x48285B7: _vgnU_freeres (vg_preloaded.c:61)
==3572==    by 0x5DB5AC3: __libc_enable_asynccancel (libc-cancellation.c:66)
==3572==    by 0x6826CAF: ??? (in /lib/libglib-2.0.so.0.2800.4)
==3572==  Address 0x7491f30 is not stack'd, malloc'd or (recently) free'd

* PDFs

==4002== Invalid write of size 1
==4002==    at 0x7290FB4: SplashXPathScanner::clipAALine(SplashBitmap*, int*, int*, int) (in /usr/lib/libpoppler.so.13.0.0)
==4002==  Address 0xf8dc5090 is not stack'd, malloc'd or (recently) free'd
Another MeeGo (Koffice) bug

bool STD::read( U16 baseSize, U16 totalSize, OLEStreamReader* stream, bool preservePos )
...
    // totalSize comes straight from the document, so grupxLen is attacker-controlled
    grupxLen = totalSize - ( stream->tell() - startOffset );
    grupx = new U8[ grupxLen ];
    int offset = 0;
    for ( U8 i = 0; i < cupx; ++i ) {
        U16 cbUPX = stream->readU16();   // size of the next UPX, also read from the document
        stream->seek( -2, G_SEEK_CUR );  // rewind the "lookahead"
        cbUPX += 2;                      // ...and correct the size
        // cbUPX is never compared against grupxLen - offset, so a UPX size larger than the
        // remaining buffer makes the loop below write past the end of grupx on the heap
        for ( U16 j = 0; j < cbUPX; ++j ) {
            grupx[ offset + j ] = stream->readU8();  // read the whole UPX
        }

koffice-2.3.3/filters/kword/msword-odf/wv2/src/styles.cpp
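The same copy loop with the bounds check it is missing, written here in C as an added example (this is not koffice's code; the Stream type stands in for wv2's OLEStreamReader, and both records it parses are constructed for the example). It keeps the original's shape, a U16 length prefix read as a lookahead and then copied along with the UPX, but refuses any UPX that would not fit in what is left of grupx, which is the condition a document-controlled length prefix violates in the original.

```c
/* Hardened re-implementation of the grupx copy from wv2's STD::read
 * (added example, not koffice code). Stream is a stand-in for
 * OLEStreamReader; the record bytes below are constructed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t  U8;
typedef uint16_t U16;

/* In-memory stand-in for wv2's OLEStreamReader (assumption: not the real class). */
typedef struct {
    const U8 *data;
    size_t    len;
    size_t    pos;
} Stream;

/* Little-endian U16 read that refuses to run off the end of the stream. */
static int read_u16le(Stream *s, U16 *out) {
    if (s->len - s->pos < 2) return -1;
    *out = (U16)(s->data[s->pos] | (s->data[s->pos + 1] << 8));
    s->pos += 2;
    return 0;
}

/* Copies cupx UPX blocks (each a U16 length prefix plus that many bytes) into a
 * freshly allocated grupx buffer of grupxLen = totalSize - bytes already consumed.
 * Returns 0 and hands back the buffer on success, -1 on any malformed length.
 * The caller frees *out_grupx. */
int read_grupx(Stream *stream, size_t startOffset, U16 totalSize, U8 cupx,
               U8 **out_grupx, size_t *out_len) {
    size_t consumed = stream->pos - startOffset;
    if (consumed > totalSize) return -1;                  /* totalSize is file data: must cover what was read */
    size_t grupxLen = totalSize - consumed;
    if (grupxLen > stream->len - stream->pos) return -1;  /* the record must fit in the stream */

    U8 *grupx = malloc(grupxLen ? grupxLen : 1);
    if (!grupx) return -1;

    size_t offset = 0;
    for (U8 i = 0; i < cupx; ++i) {
        U16 cbUPX;
        if (read_u16le(stream, &cbUPX) != 0) { free(grupx); return -1; }
        stream->pos -= 2;                 /* rewind the "lookahead", as the original does */
        size_t need = (size_t)cbUPX + 2;  /* the length prefix travels with the UPX */
        /* The check the original lacks: this UPX must fit in what is left of grupx. */
        if (need > grupxLen - offset) { free(grupx); return -1; }
        memcpy(grupx + offset, stream->data + stream->pos, need);
        stream->pos += need;
        offset += need;
    }
    *out_grupx = grupx;
    *out_len = offset;
    return 0;
}

/* Well-formed record (constructed): two UPX blocks, lengths 4 and 2. */
static const U8 GOOD[] = { 0x04, 0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0x02, 0x00, 0xEE, 0xFF };
/* Record shaped like a crasher (constructed): length prefix 0x180F with only 4 bytes behind it. */
static const U8 BAD[]  = { 0x0F, 0x18, 0x41, 0x41, 0x41, 0x41 };

/* Returns the number of UPX bytes copied from GOOD (10), or a negative value if rejected. */
long parse_good(void) {
    Stream s = { GOOD, sizeof GOOD, 0 };
    U8 *grupx = NULL;
    size_t n = 0;
    if (read_grupx(&s, 0, (U16)sizeof GOOD, 2, &grupx, &n) != 0) return -1;
    int intact = memcmp(grupx, GOOD, n) == 0;
    free(grupx);
    return intact ? (long)n : -2;
}

/* Returns read_grupx's result for BAD: -1, where the original loop would overflow grupx. */
int parse_bad(void) {
    Stream s = { BAD, sizeof BAD, 0 };
    U8 *grupx = NULL;
    size_t n = 0;
    int rc = read_grupx(&s, 0, (U16)sizeof BAD, 1, &grupx, &n);
    if (rc == 0) free(grupx);
    return rc;
}

int main(void) {
    printf("well-formed record: %ld UPX bytes copied\n", parse_good());
    printf("oversized UPX length: rc=%d (rejected)\n", parse_bad());
    return 0;
}
```

Under the original loop, the BAD record would write 0x180F + 2 bytes into a 6-byte heap allocation; here read_grupx returns -1 before a single byte is copied, and a fuzzer running this parser under valgrind would report nothing for that case.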
An exercise for the reader...

Hex-editor view of the crashing test case (screenshot; the first three rows are only partly legible in the scan, so their byte positions are not recoverable). The slide's arrows label the two bytes at the start of row 66B0h as "length of copy (little endian)" and the run of 41 bytes that follows as "data copied":

6680h  (legible fragments: 40 00 ... 02 00)
6690h  (legible fragments: 00 0C 04 00 00 00 ... 00 00 06 00 4E 00)   0.N.
66A0h  (legible fragments: 00 72 00 ... 00 6C 00 00 00 02 00 00 00)
66B0h  0F 18 41 41 41 41 41 41 41 41 41 41 41 41 41 41   ..AAAAAAAAAAAAAA
66C0h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
66D0h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
66E0h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
66F0h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
6700h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA
6710h  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41   AAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x18ebffaa in ?? ()
(gdb) bt
#0  0x18ebffaa in ?? ()
#1  0x41f61f64 in wvWare::Parser::~Parser() () from /usr/lib/libkowv2.so.9
#2  0x41f6537c in ?? () from /usr/lib/libkowv2.so.9
#3  0x41f6537c in ?? () from /usr/lib/libkowv2.so.9
(gdb) x/16i 0x41f61f50
...
0x41f61f5c <_ZN6wvWare6ParserD2Ev+232>:  ldr r12, [r3, #4]
0x41f61f60 <_ZN6wvWare6ParserD2Ev+236>:  blx r12
(gdb) print /x $r3
$3 = 0x41414141
N9 Bluetooth pairing

[Screenshot: "NFC - Pairing with Nokia N9"]

« Device will bluetooth pair with another device given a special NDEF message
« Prompts user only if (non-default) "Confirm sharing and connecting" option chosen

[0000] d4 0c 27 6e 6f 6b 69 61 2e 63 6f 6d 3a 62 74 01  ..'nokia.com:bt.
[0010] 00 1d 4f 92 90 e2 20 04 18 31 32 33 34 00 00 00  ..O... ..1234...
[0020] 00 00 00 00 00 00 00 00 00 0c 54 65 73 74 20 6d  ..........Test m
[0030] 61 63 62 6f 6f 6b                                acbook
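The message above is a single NDEF record, and its framing can be checked before any of it reaches the pairing code. The parser below is an added example, not Nokia's or the N9 NFC stack's code: it decodes the record header (MB/ME/CF/SR/IL flag bits, TNF, type length, payload length) and verifies every declared length against the bytes actually received, then runs over the captured message, which carries the external type "nokia.com:bt" and a 39-byte payload. It deliberately stops at the framing; the layout of the proprietary payload (the bytes around the "1234" and "Test macbook" strings visible in the dump) is not something this page specifies, so the example does not guess at it.

```c
/* NDEF record-header parser run over the pairing message captured on the slide
 * (added example, not Nokia's code). Every length field is checked against the
 * buffer before it is trusted, which is the check an NFC stack must make before
 * handing a payload to an application. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    int mb, me, cf, sr, il, tnf;          /* header flag bits and Type Name Format */
    const uint8_t *type;    size_t type_len;
    const uint8_t *id;      size_t id_len;
    const uint8_t *payload; size_t payload_len;
} NdefRecord;

/* Parses one NDEF record from buf. Returns the number of bytes consumed, or -1 if
 * any declared length runs past len (a truncated or malformed record). */
long ndef_parse_record(const uint8_t *buf, size_t len, NdefRecord *r) {
    if (len < 3) return -1;
    uint8_t hdr = buf[0];
    r->mb  = (hdr >> 7) & 1;  /* Message Begin */
    r->me  = (hdr >> 6) & 1;  /* Message End */
    r->cf  = (hdr >> 5) & 1;  /* Chunk Flag */
    r->sr  = (hdr >> 4) & 1;  /* Short Record: 1-byte payload length */
    r->il  = (hdr >> 3) & 1;  /* ID Length field present */
    r->tnf = hdr & 0x07;      /* 4 = NFC Forum external type */

    size_t pos = 1;
    r->type_len = buf[pos++];
    if (r->sr) {
        r->payload_len = buf[pos++];
    } else {
        if (len - pos < 4) return -1;
        r->payload_len = ((size_t)buf[pos] << 24) | ((size_t)buf[pos + 1] << 16) |
                         ((size_t)buf[pos + 2] << 8) | (size_t)buf[pos + 3];
        pos += 4;
    }
    r->id_len = 0;
    if (r->il) {
        if (len - pos < 1) return -1;
        r->id_len = buf[pos++];
    }
    /* Each variable-length field must fit in what remains of the buffer. */
    if (len - pos < r->type_len) return -1;
    r->type = buf + pos;
    pos += r->type_len;
    if (len - pos < r->id_len) return -1;
    r->id = buf + pos;
    pos += r->id_len;
    if (len - pos < r->payload_len) return -1;
    r->payload = buf + pos;
    pos += r->payload_len;
    return (long)pos;
}

/* The 54-byte pairing record from the slide's hex dump. */
static const uint8_t PAIRING[] = {
    0xd4, 0x0c, 0x27, 0x6e, 0x6f, 0x6b, 0x69, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x3a, 0x62, 0x74, 0x01,
    0x00, 0x1d, 0x4f, 0x92, 0x90, 0xe2, 0x20, 0x04, 0x18, 0x31, 0x32, 0x33, 0x34, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x54, 0x65, 0x73, 0x74, 0x20, 0x6d,
    0x61, 0x63, 0x62, 0x6f, 0x6f, 0x6b
};

/* Parses the captured record and checks its framing; returns the payload length (39),
 * or a negative value if the record does not look like the one on the slide. */
long captured_payload_len(void) {
    NdefRecord r;
    long used = ndef_parse_record(PAIRING, sizeof PAIRING, &r);
    if (used != (long)sizeof PAIRING) return -1;                 /* one record, nothing trailing */
    if (!(r.mb && r.me && r.sr && !r.cf && !r.il && r.tnf == 4)) return -2;
    if (r.type_len != 12 || memcmp(r.type, "nokia.com:bt", 12) != 0) return -3;
    return (long)r.payload_len;
}

/* A copy cut off mid-payload must be rejected, not handed to the pairing code. */
int truncated_is_rejected(void) {
    NdefRecord r;
    return ndef_parse_record(PAIRING, 40, &r) == -1;
}

int main(void) {
    printf("payload bytes: %ld\n", captured_payload_len());
    printf("truncated record rejected: %d\n", truncated_is_rejected());
    return 0;
}
```

The header byte d4 decodes as MB=1, ME=1, SR=1, TNF=4 (external type), so the whole message is one short record; a stack that trusts the 0x27 payload length without the comparison against the received length would read past a shorter buffer, which is the class of bug the fuzzing in this talk is looking for.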
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My whole life I’ve been 
looking for this 
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When I should have been 
looking for this: 
Turn on confirm sharing!

[Screenshot of the N9 prompt shown when the option is on:]
Connect?
This device will be added as trusted Bluetooth device to enable easy connections via NFC
Yes / No
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Summary 


« NFC opens up a new avenue for nearby server-side 
attacks without user interaction 

■ NFC stacks are hard to test 

■ I’m releasing code to help researchers do this 

« Vendors should allow option to confirm before NFC 
data passed to applications 

■ Enable this option by default 
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Code drop 


« Fuzzers, testcases, crashers, etc 
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Questions? 


« Contact me 

* charlie.miller@accuvant.com 



